Minimum Baseline Security Standard for OpenMRS (MBSS)

Best Practices and Security Considerations Document 
This document outlines the Minimum Baseline Security Standard (MBSS), which defines the core security principles and best practices tailored specifically to OpenMRS implementations. It covers essential areas including network security, server hardening, data protection, authentication and authorization.

This work was contributed by IntelliSOFT Consulting Ltd. in September 2024 thanks to a generous grant from Digital Square for CyberSecurity improvement work, organized by OpenMRS Inc.

Table of Contents

Abbreviation/Acronym | Definition
AAA | Authentication, Authorization, and Accounting
API | Application Programming Interface
DNS | Domain Name System
HTTP | Hypertext Transfer Protocol
HTTPS | Hypertext Transfer Protocol Secure
NTP | Network Time Protocol
REST | Representational State Transfer
SOAP | Simple Object Access Protocol
TTL | Time-to-Live
TLS | Transport Layer Security
JWT | JSON Web Token
LDAP | Lightweight Directory Access Protocol

Introduction

With the increasing number of systems, services, and integrations that organizations implementing OpenMRS continue to deploy within their environments, it is mandatory to define a minimum security baseline that ensures all services meet a minimum level of assurance and that none of them poses a threat to the system and network, thereby affecting the availability of the OpenMRS services. The minimum baseline standards provide a point of reference for all stakeholders interacting with the platform, allowing system developers, administrators and integrators to incorporate security measures by design in the implementation of the OpenMRS system.

The minimum baseline standard lays the guardrails for incorporating the three fundamental principles of information security in the implementation of the OpenMRS system as defined below:

  1. Confidentiality: Protecting sensitive information from unauthorized access, disclosure, or misuse. This ensures that only those with legitimate business needs can view or use data.

  2. Integrity: Maintaining the accuracy and completeness of information. This prevents data from being modified, destroyed, or corrupted.

  3. Availability: Ensuring that information and systems are accessible when needed. This prevents disruptions to business operations due to system failure or cyberattacks.

The document addresses different areas of interest in the implementation of the OpenMRS system including: 

  • Operating Systems and Platform Configurations 

  • System Security Architecture

  • Accountability

  • Access Control 

  • Data Security and Privacy 

  • Third-Party Security 

  • Application and API Security 

 

Scope Questionnaire 

The scope questionnaire allows the end user of the minimum baseline standards and the policy administrators to determine the boundaries of application of the standards based on the deployment environment and/or the service being integrated and/or the implementing parties.

No. | Question | Answer (YES/NO) | Instructions
1 | Does the project process, store, and/or transfer personal data, sensitive or confidential data? | | Please also answer the Data Privacy and Data Protection worksheets
2 | Does the solution provide or access an API(s) either internally or externally using HTTP-based interfaces such as SOAP, REST, or JSON? | | Please also answer the Application and API worksheet
3 | Is the solution partially or fully hosted in a cloud? | |
4 | Is any 3rd party company involved in one or more of the following activities: development; maintenance/operations; integration; testing; support; data processor; joint venture? | |

 

 

 

 

Secure Network and Physical Environment

 

No. | Question | Answer (YES/NO) | Instructions
1 | Has the hosting server(s) been secured in a locked rack or an area with restricted access? | |
2 | Has all the non-removable media been configured with file systems that have access controls enabled? | |
3 | Has the server(s) been set up in an environment with appropriately restricted network access? | |
4 | Has the server(s) been set up to display a trespassing banner at login? | |

 

 

 

Patching/Server Maintenance

System Hardening Features

System hardening is the practice of reducing a system's vulnerability by reducing its attack surface. Hardening reduces the number of attack vectors by removing the pathways an attacker would otherwise use.

 

No. | Question | Answer (YES/NO) | Instructions
1 | Have all system components (OS, DB, applications, network devices) been hardened according to specified guidelines as well as specifications provided by the product manufacturer? | |
2 | Have all servers and applications been configured to disable/prevent access by trusted communities and systems (such as the use of .rhosts and .shosts for UNIX)? | |
3 | Have all software (OS, application, DB) packages and modules not required for this system been deactivated and removed (where possible) from the system? | |
4 | Has an account been created with adequate permissions (e.g. with sudo rights) to facilitate continuous compliance scans on all system components even after go-live? | |

 

 

 

Patch Management and Vulnerability Reporting

The patch and vulnerability management program (PVMG) outlines the requirements for keeping the organization’s systems updated with the most current versions of their software. PVMG ensures that the organization installs remediation patches for known vulnerabilities and exposures. 

 

No. | Question | Answer (YES/NO) | Instructions
1 | Is the most recent version in use with the latest security patches/service packs applied across all components? | |
2 | Have all patch and non-patch vulnerabilities been tested and remediated before the system go-live? | |
3 | Has an exhaustive list of all the installed security patches and modifications been provided? | |
4 | Does the supplier/vendor support the provision of security patches for any critical or high-risk vulnerabilities within 30 days of notification? | |
5 | Is there a documented maintenance process to keep applications and operating systems at the latest practical patch levels? Where is it documented? ___________________________________ | |
6 | Is there a documented maintenance process that includes a reasonable timetable for the routine application of patches and patch clusters (service packs and patch rollups)? | |
7 | Is there a process to inventory the current level of patches specific to this server? | |
8 | Is there a process for monitoring patch installation failures? | |

 

 

 

Security Logging

Logging refers to the practice of collecting events on security-related activities, such as user authentication, access control, and intrusion detection. The logs are essential for identifying and investigating potential security breaches, which may affect the availability, integrity, and confidentiality of information systems. 

 

No. | Question | Answer (YES/NO) | Instructions
1 | Is the server configured with appropriate real-time OS/application logging turned on? | |
2 | Does the system provide the capability to automatically forward audit logs to an external SIEM solution? | |
3 | Has the integration to the monitoring platform/SIEM been configured, and is it working? | |
4 | Has the logging configuration been set to include the following: all authentication; privilege escalation; user additions and deletions; access control changes; job schedule start-up; system integrity information; correct log timestamps? | |
5 | Has the right timestamp for logging been configured? | |
6 | Have the security log files been protected against manual modification even by the super user, and have the methods applied been documented? | |
7 | Has access to audit logs been safeguarded to prevent any possible misuse or compromise? Describe how this has been achieved. | |

 

 

System Integrity Controls

To ensure that the system functions in the way it is designed to operate, its security must be configured so that nothing can interfere with its operating configuration.

 

No. | Question | Answer (YES/NO) | Instructions
1 | Have configurations to restrict changes to startup procedures been implemented? | |
2 | Have all the unused services been disabled? | |
3 | Has anti-virus software been installed on the hosting server? | |
4 | Has the server been configured behind the firewall/IPS? | |
5 | Has the server been added to AAA servers? | |
6 | If available, has the hardware-based system integrity control been enabled? | |
7 | Has the authoritative source for NTP been configured? | |
8 | Has the authoritative source for DNS been configured? | |

 

 

 

Vulnerability Assessment

This is the process through which the organization assesses its information security system for security weaknesses. Vulnerability assessment allows the organization to discover and remediate the identified vulnerabilities before taking the systems, platform, or application to production. 

 

 

No. | Question | Answer (YES/NO) | Instructions
1 | Has a pre-production configuration or vulnerability assessment been performed on the server and its services? | |
2 | Has a copy of the configuration and/or vulnerability assessment reports done at the initial server configuration been retained for possible future use by the ISO? | |
3 | Has the implementation ensured that the vulnerability scanners have a path to reach the server? | |
4 | Has the vulnerability assessment report been reviewed by the security and risk team and documented for future reference? | |

 

 

Backup, Restore, and Business Continuity

Backup is the process of copying information or processing state to a redundant system, service, device, or medium that can provide the required processing capability when needed. Backups, restoration, and business continuity ensure that the organization continues to provide services even when its primary production site is unavailable.

 

No. | Question | Answer (YES/NO) | Instructions
1 | Is there a definition of the backup plan according to the following four types of data: System (Operating System and Applications) data; User Data (the data specific to each part of the system that is susceptible to being modified frequently); Confidential Information (relating to the architecture of the network or subscribers); Log (the set of traces of what is done on/from each part of the system)? | |
2 | Has the backup for the operational and mission-critical data been configured? | |
3 | Has backup for all servers with operation-critical data been documented? | |
4 | Does the backup documentation include system and application restoration (including configurations) and data restoration procedures to support business continuity and disaster recovery planning? | |
5 | Has a specific account been defined for back-up and restore actions on the system, especially on database servers, with rights restricted to only the required actions (back-up and restore)? | |
6 | Have all the backup/restore actions been restricted to a specific server with an account dedicated to this action? | |
7 | Have the passwords and login used for the backup/restore server been stored securely and encrypted while in transit? | |
8 | Are restoration backups logically accessible? | |
9 | Have measures to transmit server back-ups securely been put into place? | |
10 | Is the back-up media compliant with the Portable Media Security Standard? | |
11 | Are the mechanisms to protect the system against attacks described, including how the system restricts access during an attack or system failure? | |

 

 

Data Security and Privacy 

Data privacy involves ensuring the proper usage, collection, retention, deletion, and storage of data. It involves putting in place administrative and logical controls to ensure that data is only accessible to the right and intended users. Data security, on the other hand, combines policies, methods, and means to secure data at rest, in transit, and while being processed. Data security ensures that the data remains available, consistent, complete, and valid. In order to ensure privacy and anonymity, data must be de-identified, rendering it useless in the hands of unintended users and platforms. As illustrated in the figure below, this can be achieved through pseudonymization and anonymization. The checklist provided below evaluates the provision of all the security controls on the data while at rest, in transit, or in processing.

 

No. | Question | Answer (YES/NO) | Instructions
Data Security
1 | Have technical measures been put in place to safeguard data security by validating input from users or other systems/applications via all interfaces? Describe. | |
2 | Is critical/confidential data secured while in storage or transmission by 256-bit or higher level of encryption? | |
3 | Has the data/document been classified according to the data classification guideline/standard and marked with the right classification label? | |
4 | Is the change of the classification labels restricted only to the security administrator? | |
5 | Have passwords been securely stored via a strong one-way hash function of at least 256-bit? | |
6 | Are there adequate controls to ensure customer data confidentiality, and is suppliers' liability covered in case of a breach of security and leakage of confidential customer-related information? | |
7 | Has all third-party access been configured to use strong authentication? | |
8 | Does the system provide an access control mechanism able to show which data entities/transactions any particular individual may read, modify, or execute (given a user ID) and, conversely, which individuals may read, modify, or execute any given data entity/transaction? | |
9 | Does the system provide the capability to create or modify different access control levels/roles (i.e. admin, developer, end-user) according to user privileges and user roles/job descriptions? | |
Data Privacy
1 | What data is being collected, processed, stored, transferred? (Give examples.) | |
2 | Is there a mechanism for collecting and storing consent to process the data? | |
3 | Do you intend to process information regarding health status, ethnicity, race, biometrics, sexual orientation, or genetic data? | |
4 | How long do you intend to store the data? Please share a data retention timeline. | |
5 | How will you purge the data after the retention timeline has expired? Please share purging guidelines. | |
6 | Are there any third parties involved in the process? Is there any existing agreement with the third party? | |
7 | Is there justification for all sets of data being collected/processed? | |
8 | Is the system configured to enforce the use of encrypted connections (e.g. TLS v1.3) by customers for services that transfer sensitive data? | |
9 | Do all interfaces/protocols that are exposed outside the security domain provide for encryption and authentication according to guidelines and commercial best-practice standards? | |
10 | Do encryption methods and algorithms conform to standards and use the latest versions of cryptographic libraries? | |
11 | Is the system configured to store all security-sensitive information and personal data in an encrypted format or with the appropriate protection mechanisms? Describe. | |
12 | Is data used for system development and/or testing purposes depersonalized to differentiate it from data located on the production system? | |
13 | When media used by the system is to be disposed of or reused, are the necessary measures taken to prevent any subsequent retrieval of personal data and other information stored? | |

 

 

 

Application and Application programming interface (API) Security

Application security refers to the iterative process of developing, adding, and testing security features within applications to prevent security vulnerabilities against threats such as unauthorized access and modification. Application security extends to API security, which addresses embedding security in the development and operation of APIs.

 

No. | Question | Answer (YES/NO) | Instructions
1 | Has versioning been implemented for the API and the application? | |
2 | Do the API and the application conform to the organization's set style and design guidelines, such as formatting of headers for consistency? | |
3 | Is every request to the API or web service authenticated? | |
4 | Has MFA been implemented for externally facing APIs, e.g. use of a certificate as a second factor of authentication? | |
5 | Is there an implementation of anti-brute-force mechanisms on authentication endpoints, such as account lock-outs, use of Max Retry, and jail features in Login? | |
6 | Does the system implement JSON Web Token (JWT)? | | Has the below been checked? (1) Use a random, complicated key (JWT Secret) to make brute-forcing the token very hard. (2) Don't extract the algorithm from the header; force the algorithm in the backend (HS256 or RS256). (3) Make token expiration (TTL, RTTL) as short as possible. (4) Don't store sensitive data in the JWT payload; it can be decoded easily.
7 | Does the system implement OAuth 2.0? | | Ensure: (1) Always validate redirect_uri server-side to allow only whitelisted URLs. (2) Always exchange for a code and not tokens (don't allow response_type=token). (3) Use a state parameter with a random hash to prevent CSRF on the OAuth authentication process. (4) Define the default scope, and validate scope parameters for each application.
8 | Does the deployment implement authorization mechanisms? | |
9 | Do the issued authentication and authorization tokens have a set expiry time? | |
10 | Does the response from the API call return only legitimate data, and not excessive or sensitive data? | |
11 | Have verbose error messages been customized so as not to reveal too much information? | |
12 | Is HTTPS implemented for the API and the applications? | |
13 | Has a limit on how often a client can call the API within a defined timeframe been implemented? | |
14 | Has a limit for the maximum size of data on all incoming parameters and payloads, such as maximum length for strings and maximum number of elements in arrays, been implemented? | |
15 | Has the content-type for your response been enforced, i.e. if you return application/json, then your content-type response header is application/json? | |
16 | Has a limit on the number of returned records been implemented, to prevent mass disclosure in case of injection? | |
17 | Is there a validation, filtering, and sanitizing mechanism for all client-provided data, or other data coming from integrated systems? | |
18 | Does the API or application log all failed authentication attempts, denied access, input validation errors, and rate limit errors? | |
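The four JWT checks in row 6 above, worked as an added Python example (this is not code from the MBSS document or from OpenMRS): the backend pins HS256 and ignores the header's alg, verifies the signature in constant time, enforces a short expiry, and shows why the payload must carry no sensitive data. The secret bytes and claim values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# The backend pins ONE algorithm; the "alg" in the token header is never trusted.
ALLOWED_ALG = "HS256"


def generate_secret() -> bytes:
    """A random 32-byte signing key; load it from configuration, never from source code."""
    return secrets.token_bytes(32)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issue a short-lived HS256 token carrying only non-sensitive claims (sub, iat, exp)."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": ALLOWED_ALG, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps({"sub": subject, "iat": now, "exp": now + ttl_seconds},
                                       separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def verify_token(secret: bytes, token: str, now: Optional[int] = None) -> dict:
    """Verify signature (with the pinned algorithm) and expiry; raise ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Refuse "none", RS256/HS256 confusion, or any other algorithm the header asks for.
    if header.get("alg") != ALLOWED_ALG:
        raise ValueError("algorithm not allowed")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if "exp" not in payload or now >= int(payload["exp"]):
        raise ValueError("token expired")
    return payload


def verification_error(secret: bytes, token: str, now: Optional[int] = None) -> Optional[str]:
    """The rejection reason, or None when the token verifies (useful for audit logging)."""
    try:
        verify_token(secret, token, now)
        return None
    except ValueError as exc:
        return str(exc)


def decode_payload_without_key(token: str) -> dict:
    """Why sensitive data must stay out of the payload: anyone can read it without the key."""
    return json.loads(b64url_decode(token.split(".")[1]))
```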
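The OAuth 2.0 checks in row 7 above, worked as an added Python example (not code from the MBSS document or from OpenMRS): the authorization-server side enforces exact redirect_uri whitelisting, the code flow only, a mandatory state value and per-client scope validation, and the client side rejects a callback whose state does not match the one it stored. The client registry, client_id and redirect URI are constructed for the example.

```python
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed client registry for this example; a deployment loads it from its configuration.
CLIENTS = {
    "emr-frontend": {
        "redirect_uris": {"https://emr.example.org/callback"},
        "default_scope": {"openid", "patient.read"},
        "allowed_scopes": {"openid", "patient.read", "patient.write"},
    }
}


def new_state() -> str:
    """Random state the client stores in its session before redirecting to /authorize."""
    return secrets.token_urlsafe(32)


def validate_authorize_request(params: dict) -> dict:
    """Authorization-server side: apply the checklist's four OAuth 2.0 checks to an /authorize request."""
    client = CLIENTS.get(params.get("client_id", ""))
    if client is None:
        raise ValueError("unknown client_id")
    # 1. redirect_uri: exact server-side match against the whitelist (no prefix or substring matching).
    redirect_uri = params.get("redirect_uri", "")
    if redirect_uri not in client["redirect_uris"]:
        raise ValueError("redirect_uri not whitelisted")
    # 2. Only the authorization-code flow; response_type=token (implicit flow) is refused.
    if params.get("response_type") != "code":
        raise ValueError("response_type must be code")
    # 3. A state value is mandatory so the client can detect CSRF on the callback.
    state = params.get("state", "")
    if len(state) < 16:
        raise ValueError("state missing or too short")
    # 4. Apply the client's default scope when none is requested; reject anything outside its allow-list.
    requested = set(params.get("scope", "").split()) or set(client["default_scope"])
    if not requested <= client["allowed_scopes"]:
        raise ValueError("scope not permitted: " + " ".join(sorted(requested - client["allowed_scopes"])))
    return {"client_id": params["client_id"], "redirect_uri": redirect_uri,
            "scope": requested, "state": state}


def validate_callback(callback_url: str, stored_state: str) -> str:
    """Client side: accept the authorization code only when state matches what this session stored."""
    parts = urlsplit(callback_url)
    if "access_token" in parse_qs(parts.fragment):
        raise ValueError("token in fragment: implicit flow not allowed")
    query = parse_qs(parts.query)
    state = query.get("state", [""])[0]
    if not stored_state or not secrets.compare_digest(state.encode(), stored_state.encode()):
        raise ValueError("state mismatch: possible CSRF")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("authorization code missing")
    return code


def authorize_error(params: dict) -> Optional[str]:
    """Rejection reason for an /authorize request, or None when it is acceptable."""
    try:
        validate_authorize_request(params)
        return None
    except ValueError as exc:
        return str(exc)


def callback_error(callback_url: str, stored_state: str) -> Optional[str]:
    """Rejection reason for a callback, or None when the code can be exchanged."""
    try:
        validate_callback(callback_url, stored_state)
        return None
    except ValueError as exc:
        return str(exc)
```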

 

 

Access Control 

Access control is a data security control process that enables organizations to manage who is authorized to access corporate data and resources. Secure access control uses policies that verify users are who they claim to be and ensure appropriate levels of access are granted to users. The checklist below provides guidance for minimum baseline standards for controlling secure access to the platform.

 

No. | Question | Answer (YES/NO) | Instructions
Password Policy
1 | Are passwords stored hashed or in a one-way encrypted form that is inaccessible to all users? Only algorithms specifically designed for password storage shall be used. | |
2 | Is the strength of passwords used with the operation and maintenance accounts enforced by the system? | |
3 | Does the system allow for Secure Lightweight Directory Access Protocol (LDAP) authentication using either Microsoft Windows Active Directory or Oracle Identity Manager (IDM)? | |
4 | Does the system provide a configurable mechanism, as provided in the password standard (embedded below): to detect and block simple passwords (e.g. 123456, abcdef, identical username and password, etc.); to check that the password does not contain more than two successive identical characters; to allow only a minimum length of 8 characters; to prevent users from reusing the last 12 passwords; to allow only the administrator to reset passwords; and not to allow hard-coded passwords (i.e. no service/application user passwords displayed in source code)? | |
5 | Is the password checking mechanism case sensitive? | |
6 | Does the system force the user to enter their current password as well as their new password when carrying out a password change? | |
7 | Does the system provide a password change confirmation procedure? | |
8 | Are end users able to directly change their user passwords? | |
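An added Python example (not code from the MBSS document or from OpenMRS) that applies the password-policy rules of row 4, the current-password requirement of row 6 and the case-sensitive check of row 5, storing passwords with scrypt as row 1 requires an algorithm designed for password storage. The simple-password blocklist and the scrypt cost parameters are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import List

# Constructed blocklist for the example; a deployment loads a much larger list.
SIMPLE_PASSWORDS = {"123456", "abcdef", "12345678", "password", "qwerty"}
MIN_LENGTH = 8                              # checklist: minimum length of 8 characters
HISTORY_DEPTH = 12                          # checklist: the last 12 passwords may not be reused
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)   # memory-hard cost; assumed values, tune to the server


def hash_password(password: str) -> bytes:
    """scrypt with a fresh random 16-byte salt; the stored value is salt || derived key."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return salt + key


def verify_password(password: str, stored: bytes) -> bool:
    """Case-sensitive check of a candidate against a stored hash, compared in constant time."""
    salt, key = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, key)


def has_three_identical_in_a_row(password: str) -> bool:
    """True when any character occurs more than twice in succession (e.g. 'aaa')."""
    return any(password[i] == password[i + 1] == password[i + 2] for i in range(len(password) - 2))


def check_new_password(username: str, password: str, history: List[bytes]) -> List[str]:
    """Return the policy rules the candidate violates; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in SIMPLE_PASSWORDS:
        problems.append("in the simple-password blocklist")
    if password.lower() == username.lower():
        problems.append("identical to the username")
    if has_three_identical_in_a_row(password):
        problems.append("more than two successive identical characters")
    # Reuse check must re-derive against each stored salt; only the last 12 hashes are consulted.
    if any(verify_password(password, old) for old in history[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def set_initial_password(username: str, password: str) -> List[bytes]:
    """Administrator-set initial password; the user is then forced to change it at first login."""
    problems = check_new_password(username, password, [])
    if problems:
        raise ValueError("; ".join(problems))
    return [hash_password(password)]


def change_password(username: str, current: str, new: str, history: List[bytes]) -> List[bytes]:
    """Self-service change: the current password must verify first, then the new one is policy-checked."""
    if not history or not verify_password(current, history[-1]):
        raise PermissionError("current password incorrect")
    problems = check_new_password(username, new, history)
    if problems:
        raise ValueError("; ".join(problems))
    history.append(hash_password(new))
    return history[-HISTORY_DEPTH:]
```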

 

 

 

Account Management
1 | Are passwords changeable by the end user only after providing the current password, and by the system administrator (from the administration panel) without restriction? | |
2 | Does the system provide the capability to lock/deactivate/suspend or delete certain accounts/user IDs either manually or automatically? | |
3 | Does the system force users to reset initial passwords on the first login, i.e. does the system force the initial password to be changed? | |
4 | Is there a use case for a shared account? Have the below mechanisms and processes been put in place: a) restrict the ability to use a shared account to only those users who need it to perform their role; b) remove the ability to use a shared account in a timely manner when users who have been authorized to use it change their role or leave the organization; c) the use of shared accounts must be linked to the user's identity at all times, with logging enabled to identify misuse; d) passwords must be a minimum of 14 characters long. | |
5 | Does the system provide the capability to print a list of all possible access privileges, a specific user's access privileges and comparison tables between different user IDs? | |

 

 

 

User Identification and Authentication
1 | Does the system support multi-factor authentication (such as two-factor authentication) for access to the system or classified sensitive data? | |
2 | Are all users allocated a unique user ID for the sole use of the individual? | |
3 | Is access to the logging system and data restricted to privileged accounts and user profiles (e.g. root, system administrator)? | |
4 | Are all accounts/access profiles protected with a password? | |
5 | Have all default accounts and credentials been changed or removed/disabled? | |
6 | Is there a use case for functional accounts? Is there a documented and approved list of all human users accountable and responsible for the generic and functional accounts across the OS, DB, and application? | |

 

 

 

System Log and Access Control
1 | Does the system provide the capability to detect multiple logons from the same user ID and restrict users to one session at a time? | |
2 | Is the number of unsuccessful log-on attempts limited to, at most, three attempts per session, after which the session is terminated? | |
3 | Does the system support automatic user locking after: i. a configurable period (for example 90 days) with no successful logins by a user, the user account being dormant; ii. a configurable number of continuous unsuccessful log-on attempts targeting the same user account or originating from the same source IP address? | |
4 | Is there a notice displayed indicating that only authorized users are allowed access to the system in accordance with any legal/corporate obligations? | |
5 | Does the system require users to enter their passwords (after a certain period of inactivity/time-out to be defined and configured centrally) before the session can be restarted? | |
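An added Python example (not code from the MBSS document or from OpenMRS) of the controls in rows 2 and 3 above and of the anti-brute-force mechanism asked for in row 5 of the Application and API checklist: three failed attempts end the session, a configurable number of consecutive failures locks the account or the source IP, a 90-day dormant account is locked, and every failure produces an audit line suitable for forwarding to a SIEM. The five-failure threshold, the clock passed in by the caller and the log line format are assumptions.

```python
import time
from dataclasses import dataclass, field
from typing import Optional

MAX_ATTEMPTS_PER_SESSION = 3        # checklist: at most three attempts per session
MAX_CONSECUTIVE_FAILURES = 5        # assumed configurable threshold per account and per source IP
DORMANT_SECONDS = 90 * 24 * 3600    # checklist example: 90 days without a successful login


@dataclass
class AuthGuard:
    """Tracks failed logins per session, account and source IP, plus dormant accounts."""
    session_failures: dict = field(default_factory=dict)
    account_failures: dict = field(default_factory=dict)
    ip_failures: dict = field(default_factory=dict)
    last_success: dict = field(default_factory=dict)    # username -> epoch seconds
    locked_accounts: set = field(default_factory=set)
    locked_ips: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)       # lines a SIEM forwarder would ship

    def _log(self, event: str, now: float, **fields) -> None:
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
        self.audit_log.append(f"{stamp} {event} " + " ".join(f"{k}={v}" for k, v in fields.items()))

    def register_success(self, username: str, now: float) -> None:
        """A successful login restarts the dormancy window and clears the account's failure count."""
        self.last_success[username] = now
        self.account_failures.pop(username, None)

    def is_blocked(self, username: str, source_ip: str, now: float) -> Optional[str]:
        """Reason a login must be refused before any password check, or None if it may proceed."""
        if username in self.locked_accounts:
            return "account locked"
        if source_ip in self.locked_ips:
            return "source ip locked"
        last = self.last_success.get(username)
        if last is not None and now - last >= DORMANT_SECONDS:
            self.locked_accounts.add(username)
            self._log("ACCOUNT_LOCK_DORMANT", now, user=username)
            return "account dormant"
        return None

    def register_failure(self, session_id: str, username: str, source_ip: str, now: float) -> str:
        """Count one failed attempt and return the action the login handler must take."""
        self._log("AUTH_FAIL", now, user=username, ip=source_ip, session=session_id)
        self.account_failures[username] = self.account_failures.get(username, 0) + 1
        self.ip_failures[source_ip] = self.ip_failures.get(source_ip, 0) + 1
        self.session_failures[session_id] = self.session_failures.get(session_id, 0) + 1
        if self.account_failures[username] >= MAX_CONSECUTIVE_FAILURES:
            self.locked_accounts.add(username)
            self._log("ACCOUNT_LOCK_BRUTE_FORCE", now, user=username)
            return "lock account"
        if self.ip_failures[source_ip] >= MAX_CONSECUTIVE_FAILURES:
            self.locked_ips.add(source_ip)
            self._log("IP_LOCK_BRUTE_FORCE", now, ip=source_ip)
            return "lock source ip"
        if self.session_failures[session_id] >= MAX_ATTEMPTS_PER_SESSION:
            self.session_failures.pop(session_id)       # the session is terminated
            return "terminate session"
        return "retry"
```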

 

 

For more detailed content, see the section Sample Security Guidance & Policy Documents